The regulation of Buy Now, Pay Later (BNPL) products has been on the horizon for some time. With the Treasury’s May 2025 consultation response, the direction is now confirmed: from mid-2026, third-party BNPL lenders will be brought under the oversight of the Financial Conduct Authority (FCA).
This will mean new expectations around affordability, creditworthiness, consumer redress, product disclosures, and governance. And while the regulatory scope may feel familiar, the depth and immediacy of what’s required will demand more than procedural updates.
Risk leaders now have a window to define a strategy that enables their firm to operate, grow, and compete in a regulated BNPL environment.
Here’s a breakdown of what this update means for firms.
What the new BNPL regime covers
From mid-2026, third-party BNPL providers must be authorised by the FCA and comply with its rules on affordability, creditworthiness, consumer duty, complaints, disclosures, and more:
- Mandatory, proportionate affordability and creditworthiness checks
Firms must demonstrate verifiable checks at the point of decisioning, aligned to individual circumstances, not just product type.
- Access to the Financial Ombudsman Service (FOS)
BNPL customers can now escalate complaints to FOS, increasing the importance of auditable redress processes and timely resolution.
- Tailored disclosure requirements for digital-first products
The FCA will introduce a bespoke regime focused on real-world comprehension — not just information delivery. Firms will need to test and evidence understanding.
- Extension of Section 75 protections to BNPL agreements
Providers will be jointly liable for qualifying claims, requiring clear merchant oversight, governance controls, and capital planning to manage new exposure.
Certain information requirements under the existing Consumer Credit Act will be disapplied where not appropriate for BNPL, with the FCA tasked with designing a bespoke disclosure regime instead.
Merchant-offered BNPL, by contrast, remains outside this initial scope. The government has chosen to exempt credit agreements made directly between merchants and consumers under Article 60F(2) of the Regulated Activities Order. However, this position is subject to ongoing review. A key priority will be to prevent regulatory arbitrage or consumer harm emerging from unregulated merchant activity.
What this means for risk and compliance teams
Meeting the new BNPL expectations will require more than policy tweaks or added controls. The FCA is signalling a significant change in how firms evidence customer protection. It wants to know not just that controls exist, but that they work in practice.
Affordability and creditworthiness must now be embedded in the foundation of decisioning frameworks.
This includes reassessing how models are designed and calibrated, as well as applying proportionate checks that reflect product risk (e.g., short-term, interest-free credit). It’s also key to evidence that customers can repay without harm, even at low-value thresholds, aligning with the consumer duty principle of delivering good outcomes for customers, and to monitor affordability over time, not just at onboarding.
Complaint handling frameworks must evolve to meet FOS expectations.
This will require:
- Robust record-keeping and audit trails for key decisions
- Clear escalation paths and redress mechanisms
- MI reporting on complaint themes and customer outcomes
- Training for frontline teams on BNPL-specific issues and FOS referral processes
Joint liability under Section 75 introduces new risk exposure.
Firms will need to:
- Establish oversight controls for merchant partners
- Define liability terms within contracts and monitor fulfilment disputes
- Reflect potential Section 75 claims in capital planning (estimated at 0.5–1.2% of transaction values)
Risk and compliance must take the lead in joining up siloed processes.
A credible programme will require collaboration across:
- Credit risk and decisioning
- Compliance and financial crime
- Product and legal
- Operations and complaints handling
The FCA expects evidence of cultural alignment (not just policy adherence).
That means:
- Disclosures tested for real-world comprehension, not just regulatory formatting
- Product oversight (PROD) aligned with actual customer usage and outcome data
- Clear SM&CR ownership for affordability, complaints, and customer risk
- MI and governance forums that track how protections translate into consumer outcomes
Making the best use of the Temporary Permissions Regime (TPR)
To manage the transition, the FCA will implement a Temporary Permissions Regime (TPR). This will allow current BNPL providers to continue operating while they apply for full authorisation.
But the window will be narrow and firms need to be ready.
1. Navigating the registration window
The FCA will announce registration dates shortly after the statutory instrument is enacted. Risk teams must prepare ahead of time. This includes evidencing pre-regulatory activity, providing business model explanations, and ensuring internal documentation aligns with regulatory expectations.
2. Conducting a pre-authorisation health check
A structured review should cover all key areas, including: customer journey design and decisioning, affordability and creditworthiness frameworks, complaint handling policies and auditability, financial crime controls (KYC/KYB and transaction monitoring), and operational resilience and third-party dependency mapping.
3. Dual-track planning
Firms will need to meet TPR conditions while also preparing full authorisation submissions. This includes governance documentation, capital planning, risk frameworks, and resource mapping.
4. Engaging with the FCA
Proactive engagement with the regulator will help reduce uncertainty and demonstrate intent. Open channels with the FCA will also support clarity in grey areas.
5. Contingency planning
Risk leaders should plan for delays or rejections. Firms must prepare customer communications, wind-down procedures, and continuity measures in case full authorisation is not achieved.
Balancing regulatory integrity with digital-first innovation
The government’s decision to disapply aspects of the Consumer Credit Act recognises that BNPL products operate differently. These are short-term, interest-free agreements, typically accessed via mobile apps or embedded checkout experiences. Expecting consumers to digest lengthy, formal disclosures in that context is unrealistic.
Instead, the FCA has committed to designing a tailored, digital-first disclosure regime. This creates both an opportunity and a responsibility.
Done well, this is an opportunity to enhance consumer comprehension, particularly for those at a higher risk of harm. But the regulator has been clear: it won’t be enough to provide the information. Firms must demonstrate that customers understand it.
To meet this standard, risk and compliance teams will need to work closely with digital, product, legal, and behavioural insight functions to build a disclosure approach that’s:
- Contextual — integrated into real customer journeys, not surfaced as a static document.
- Accessible — optimised for mobile formats and responsive design.
- Actionable — supported by prompts, signposting, or flags that help users navigate decisions in real time.
- Evidenced — tested through behavioural feedback, comprehension tracking, and complaints data.
Examples of good practice might include:
- In-line pop-ups that explain payment obligations before checkout
- Smart nudges when cart values exceed affordability thresholds
- Layered disclosures that allow users to click deeper without overwhelming them
- Real-time behavioural analytics to monitor drop-off points or confusion triggers
Firms that treat this as a regulatory burden will struggle to keep pace. But those that invest in disclosure design as a core consumer protection tool will be better placed to evidence outcomes, support vulnerable groups, and maintain customer trust.
Competitive asymmetry and the merchant carve-out
One of the most debated aspects of the government’s plan is the decision to exempt merchant-offered BNPL products—at least for now. Under Article 60F(2) of the Regulated Activities Order, agreements made directly between merchants and consumers are not subject to the same authorisation and oversight requirements as third-party lenders.
This exemption has raised concerns among existing BNPL providers, trade associations, and legal commentators. The core issue is fairness. Third-party lenders will be absorbing considerable regulatory costs, while merchants offering similar functionality may not.
The government’s rationale is that third-party lenders pose greater risk, and that the volume and complexity of merchant-offered BNPL products remain limited. But this position is far from settled. The Treasury has committed to monitoring the merchant segment and intervening if scale or harm increases.
Harper James, among others, has highlighted the potential for regulatory arbitrage, particularly if large e-commerce platforms extend unregulated BNPL services to a wide audience. This could introduce market distortion, consumer confusion, and ultimately reputational risk for the sector.
Risk leaders should:
- Monitor merchant product developments and prepare for potential perimeter expansion
- Review all third-party merchant partnerships for regulatory dependencies
- Revisit financial promotions and credit broking arrangements, particularly where merchants promote BNPL products without broking permissions
Cost expectations and market impact
The Treasury’s Regulatory Impact Assessment outlines the estimated cost of compliance with the new BNPL regime. It anticipates:
- An Equivalent Annual Net Direct Cost to Business (EANDCB) of £2.3 million
- A Net Present Value of -£20.1 million over the assessment period
At the firm level, the projected costs are significant and include:
- Authorisation application fees: £5,000 to £25,000
- Annual supervision fees: £10,000 to £50,000
- Technology upgrades: £500,000 to £2 million per provider for systems supporting affordability, reporting, and complaints
- Section 75 exposure: Estimated at 0.5% to 1.2% of transaction values
Given the UK’s estimated £20 billion in annual BNPL transactions, Section 75 liability alone could equate to £100 million to £240 million per year in sector-wide contingent liabilities.
These figures explain why market consolidation is expected. Treasury economic modelling suggests that between 20% and 30% of UK BNPL providers could exit the market within two years of implementation. However, consumer demand continues to rise.
GlobalData forecasts show that the global BNPL market reached $349.4 billion in GMV in 2023 and is projected to grow at over 19% annually through 2028. For UK providers, that means a larger regulated market ultimately shared among fewer, better-prepared firms.
How leading providers are responding
Several prominent providers have already taken visible steps to prepare for FCA regulation:
Klarna
In early 2025, the Swedish Financial Supervisory Authority identified AML and KYC deficiencies in Klarna’s global operations, citing gaps in risk assessments and customer onboarding processes. Klarna UK responded by enhancing its affordability framework, introducing:
- Income verification tools
- Real-time spending pattern analysis
- Risk-based onboarding processes
These changes were made not only to satisfy regulatory expectations, but also to improve customer segmentation and decisioning.
Monzo Flex
Monzo built its BNPL offering with affordability and transparency as core design principles. Flex includes:
- Built-in affordability checks
- Real-time payment tracking
- Standardised credit reporting
This approach positioned Monzo as a lower-risk entrant and has allowed it to move quickly toward full regulatory alignment.
PayPal
PayPal has drawn on its dual-regulated experience in payments and lending to implement a cross-functional BNPL compliance programme. Key elements include:
- A dedicated team for regulatory implementation
- Certified compliance training for relevant staff
- Documentation of governance and internal audit frameworks
Each of these examples demonstrates how firms are using the upcoming regulation as a lever—not just to meet requirements, but to improve internal controls, differentiate in the market, and reduce remediation risk down the line.
5 priorities for risk leaders right now
For BNPL providers, the next 12 to 18 months are critical. The strongest programmes will not be those that simply implement what’s required, but those that use this regulatory moment to align risk, governance, and commercial goals.
Here are five areas where risk leaders should focus:
1. Broaden the compliance lens
Affordability is only one part of the picture. Firms also need to review:
- Complaints handling and redress
- Financial crime controls
- Credit broking and financial promotions
- Operational resilience
- Third-party risk and oversight governance
A joined-up risk framework will be key to sustaining compliance under full FCA supervision.
2. Integrate protections into customer journeys
Firms must design affordability checks, disclosures, and escalation paths into customer-facing journeys—not bolt them on afterward. These protections must be efficient to operate, easy to evidence, and scalable.
Disclosures in particular will require careful testing. Customer understanding will be a regulatory outcome measure, so “compliance by form” is no longer enough.
3. Budget for implementation and sustainability
Technology upgrades will represent a large one-off cost, but the day-to-day demands of regulated BNPL operations will be a large cost too:
- FCA reporting and MI
- Governance committee support
- Regulatory audit and review cycles
- FOS escalation case management
Risk and finance teams should align early to ensure compliance is fully costed—both now and post-2026.
4. Anticipate changes in regulatory scope
While merchant-offered BNPL is excluded for now, this could change rapidly. Firms should avoid designing operating models that are overly dependent on merchant exemptions or that assume partner obligations will stay as they are.
Build in flexibility to scale compliance and oversight if merchant obligations are expanded.
5. Use compliance as a lever, not just a shield
The firms that lead on transparency, fairness, and affordability will be better positioned to attract merchants, secure funding, and build long-term customer trust.
From response to advantage
BNPL regulation is no longer hypothetical. The Treasury has committed. The FCA is preparing. And by mid-2026, third-party BNPL will be regulated lending, with all the operational, cultural, and supervisory expectations that come with it.
Risk leaders now have a defined window to act. Those who engage early, resource properly, and integrate compliance into product and governance strategy will emerge stronger. Those who delay may find the transition more disruptive and the competition more prepared.
This is more than a set of obligations. It’s an opportunity to build trust, enhance operational maturity, and define what responsible BNPL lending should look like in a regulated environment.